ISTQB® CT - Security Tester

Description

ISTQB® CT - Security Tester certification is aimed at software professionals who already have the ISTQB® Foundation certificate and looking for a deeper understanding of software testing to become a Security Tester.

The Security Tester qualification is aimed at people who have already achieved an advanced point in their careers in software testing and wish to develop further their expertise in automation testing.

Chapter 1: The Basis of Security Testing

Chapter 2: Security Testing Purposes, Goals and Strategies

Chapter 3: Security Testing Processes

Chapter 4: Security Testing Throughout the Software Lifecycle

Chapter 5: Testing Security Mechanisms

Chapter 6: Human Factors in Security Testing

Chapter 7: Security Test Evaluation and Reporting

Chapter 8: Security Testing Tools

Chapter 9: Standards and Industry Trends

Business outcomes

Passing this level demonstrates that candidates can:

• Understand the role of risk assessment in supplying information for security test planning and design and aligning security testing with business needs.
• Identify the significant assets to be protected, the value of each asset and the data required to assess the level of security needed for each asset.
• Analyze the effective use of risk assessment techniques in a given situation to identify current and future security threats.
• Understand the concept of security policies and procedures and how they are applied in information systems.
• Analyze a given set of security policies and procedures along with security test results to determine effectiveness. 
• Understand the purpose of a security audit.
• Understand why security testing is needed in an organization, including benefits to the organization such as risk reduction and higher levels of confidence and trust.
• Understand how project realities, business constraints, software development lifecycle, and other considerations affect the mission of the security testing team.
• Explain why security testing goals and objectives must align with the organization's security policy and other test objectives in the organization.
• For a given project scenario, demonstrate the ability to identify security test objectives based on functionality, technology attributes and known vulnerabilities.
• Understand the relationship between information assurance and security testing.
• For a given project, demonstrate the ability to define the relationship between security test objectives and the need for strength of integrity of sensitive digital and physical assets.
• Analyze a given situation and determine which security testing approaches are most likely to succeed.
• Analyze a situation in which a given security testing approach failed, identifying the likely causes of failure.
• For a given scenario, demonstrate the ability to identify the various stakeholders and illustrate the benefits of security testing for each stakeholder group.
• Analyze KPIs (key performance indicators) to identify security testing practices needing improvement and elements not needing improvement.
• For a given project, demonstrate the ability to define the elements of an effective security test proces.
• Analyze a given security test plan, giving feedback on strengths and weaknesses of the plan.
• For a given project, implement conceptual (abstract) security tests, based on a given security test approach, along with identified functional and structural security risks.
• Implement test cases to validate security policies and procedures.
• Understand the key elements and characteristics of an effective security test environment.
• Understand the importance of planning and obtaining approvals before performing any security test.
• Analyze security test results to determine the following:
  • Nature of security vulnerability
  • Extent of security vulnerability
  • Potential impact of security vulnerability
  • Suggested remediation
• Understand the importance of maintaining security testing processes given the evolving nature of technology and threats.
• Explain why security is best achieved within a lifecycle process.
• Implement the appropriate security-related activities for a given software lifecycle (e.g., iterative, sequential).
• Analyze a given set of requirements from the security perspective to identify deficiencies.
• Analyze a given design document from the security perspective to identify deficiencies.
• Understand the role of security testing during component testing.
• Implement component level security tests (abstract) given a defined coding specification.
• Analyze the results from a given component level test to determine the adequacy of code from the security perspective.
• Understand the role of security testing during component integration testing.
• Implement component integration security tests (abstract) given a defined system specification.
• Implement an end-to-end test scenario for security testing which verifies one or more given security requirements and tests a described functional process.
• Demonstrate the ability to define a set of acceptance criteria for the security aspects of a given acceptance test.
• Implement an end-to-end security retest/regression test approach based on a given scenario.
• Understand the concept of system hardening and its role in enhancing security AS-5.1.2 (K3) Demonstrate how to test the effectiveness of common system hardening mechanisms.
• Understand the relationship between authentication and authorization and how they are applied in securing information systems.
• Demonstrate how to test the effectiveness of common authentication and authorization mechanisms.
• Understand the concept of encryption and how it is applied in securing information systems.
• Demonstrate how to test the effectiveness of common encryption mechanisms.
• Understand the concept of firewalls and the use of network zones and how they are applied in securing information systems.
• Demonstrate how to test the effectiveness of existing firewall implementations and network zones.
• Understand the concept of intrusion detection tools and how they are applied in securing information systems.
• Demonstrate how to test the effectiveness of existing intrusion detection tool implementations.
• Understand the concept of malware scanning tools and how they are applied in securing information systems.
• Demonstrate how to test the effectiveness of existing malware scanning tool implementations.
• Understand the concept of data obfuscation tools and how they are applied in securing information systems.
• Demonstrate how to test the effectiveness of data obfuscation approaches.
• Understand the concept of security training as a software lifecycle activity and why it is needed in securing information systems.
• Demonstrate how to test the effectiveness of security training.
• Explain how human behavior can lead to security risks and how it impacts the effectiveness of security testing.
• For a given scenario, demonstrate the ability to identify ways in which an attacker could discover key information about a target and apply measures to protect the environment.
• Explain the common motivations and sources for performing computer system attacks (K4) Analyze an attack scenario (attack performed and discovered) and identify possible sources and motivation for the attack.
• Explain how security defenses can be compromised by social engineering.
• Understand the importance of security awareness throughout the organization.
• Given certain test outcomes, apply appropriate actions to increase security awareness.
• Understand the need to revise security expectations and acceptance criteria as the scope and goals of a project evolve.
• Understand the importance of keeping security test results confidential and secure. 
• Understand the need to create proper controls and data-gathering mechanisms to provide the source data for the security test status reports in a timely, accurate, and precise fashion (e.g., a security test dashboard).
• Analyze a given interim security test status report to determine the level of accuracy, understandability, and stakeholder appropriateness.
• Explain the role of static and dynamic analysis tools in security testing.
• Analyze and document security testing needs to be addressed by one or more tools (K2) Understand the issues with open source tools.
• Understand the need to evaluate the vendor’s capabilities to update tools on a frequent basis to stay current with security threats.
• Understand the importance of keeping security test results confidential and secure. 
• Understand the need to create proper controls and data-gathering mechanisms to provide the source data for the security test status reports in a timely, accurate, and precise fashion (e.g., a security test dashboard).
• Analyze a given interim security test status report to determine the level of accuracy, understandability, and stakeholder appropriateness.
• Explain the role of static and dynamic analysis tools in security testing.
• Analyze and document security testing needs to be addressed by one or more tools (K2) Understand the issues with open source tools.
• Understand the need to evaluate the vendor’s capabilities to update tools on a frequent basis to stay current with security threats.